Observer GigaFlow Documentation

How-To Guide for GigaFlow

Conducting Searches in GigaFlow

Search for Security Events Associated with an IP Address

To find out more about a particular IP address:

  • Enter an IP address in the main GigaFlow Search box at the top of the screen.
  • Click Go.
  • Select a reporting period and click Submit.

Click on Events tab in the panel on the left side of the screen.

The infographics and tables display all the security events associated with that IP address during the reporting period.

See Search and Events in the Reference Manual for more.

Searching for an IP address using GigaFlow Search.

Conduct a Search and Apply a Macro or Script

See Reports > System Wide Reports > Device Connections and Reports > System Wide Reports > MAC Address Vendors in the Reference Manual to find out how to get a list of the MAC addresses associated with your network.

Search for a MAC Address

See Search in the Reference Manual for more.

Search for a MAC address to see what device it is connected to and the VLAN it is in:

  • Enter the entire MAC address into the search box.
  • You must enter the full address.
  • GigaFlow's MAC address search works for any standard MAC address format.

For example, searching for the MAC address c0:4a:00:2c:d4:06 on our demo network:

Expanding the MAC panel displays information:

  • MAC Address.
  • MAC Vendor.
  • Last Seen L3: Last seen on which Layer-3 device.
  • N: .
  • First Seen: date and time first seen on network.
  • Tools: ARP Entries, CAM Entries, Details.

Selecting ARPs from the links in Tools brings up the relevant ARP entries. From here, you can click an interface to access more information about the physical interface the device is connected to. The interface with the lowest MAC count is the connected interface.

  • Click Live Interface in the expanded ARPs panel to view the live inbound and outbound utilisation of the interface.
  • Live View also provides speed, duplex and error count information for the interface.
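The two rules stated above, that a MAC search needs the full address but accepts any standard notation, and that among the interfaces where a MAC appears the one with the lowest MAC count is the connected (edge) port, can be reproduced against a CAM table. The following is an added example, not GigaFlow's own code; the `normalize_mac` and `connected_interface` helpers and the CAM table contents are constructed for illustration.

```python
import re

def normalize_mac(text):
    """Accept colon, hyphen, Cisco dotted or bare-hex notation and return the
    canonical lower-case colon form. A partial address is rejected, matching
    the guide's rule that the full address must be entered."""
    hexdigits = re.sub(r"[\s:.-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a full 48-bit MAC address: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def is_full_mac(text):
    """True if the text is a complete MAC address in any standard format."""
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False

def oui(mac):
    """First three octets, the vendor (OUI) prefix shown as 'MAC Vendor'."""
    return normalize_mac(mac)[:8]

# Constructed CAM table for one switch: interface -> MACs learned on it.
# The uplink (Gi1/0/24) learns every MAC behind the neighbouring switch,
# while an edge port learns only the directly attached host(s).
CAM_TABLE = {
    "Gi1/0/1": {"c0:4a:00:2c:d4:06"},
    "Gi1/0/2": {"00:50:56:aa:bb:01", "00:50:56:aa:bb:02"},
    "Gi1/0/24": {"c0:4a:00:2c:d4:06", "00:50:56:aa:bb:01",
                 "00:50:56:aa:bb:02", "3c:97:0e:11:22:33"},
}

def connected_interface(cam, mac):
    """Of the interfaces where the MAC is seen, return the one with the fewest
    learned MACs: that is the port the device is physically connected to.
    If the MAC is only seen on a port shared with many others, that port is
    an uplink and the device sits behind another switch."""
    target = normalize_mac(mac)
    candidates = [ifc for ifc, macs in cam.items() if target in macs]
    if not candidates:
        return None
    return min(candidates, key=lambda ifc: len(cam[ifc]))

if __name__ == "__main__":
    for query in ("C0-4A-00-2C-D4-06", "c04a.002c.d406", "3c970e112233"):
        print(query, "->", normalize_mac(query), oui(query),
              "on", connected_interface(CAM_TABLE, query))
```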

Live view of Interface-In and Interface-Out.

  • Click on Connections in the ARPs panel to see what other devices are connected to the same port.

Device connections.

Blue boxed text indicates any piece of information that allows you to conduct a follow-on search:

  • Click on the IP address follow-on search to find out if that address has been seen by any flow devices recently. The IP address search also shows any recent associated secflow data or events, e.g. blacklisted IP addresses.
  • Click on the MAC address follow-on search link to find out where the device is physically connected.

The Treeview, or Graphical Flow Map, will load automatically. This is a visual representation of the inbound and outbound traffic associated with a selected device.

To explore the Graphical Flow Map:

Graphical Flow Map.

  • Click on any icon to show more information.
  • Click on the Destination Apps icon or the Source Apps icon for a breakdown of the applications. You can click on these to expand the tree.
  • Move the pointer over icons to display the DNS Information of each device, showing how much traffic has been used.
  • Click + to see more devices in a tree of many branches.
  • The size of the line linking any two devices is proportional to the traffic volume between them.
  • Click on any line in the Treeview table to filter only inbound or only outbound traffic. This will open a report showing traffic for the past two hours.

Forensic Report: Application Flows.

Search for a Username

  • Enter a username, or part of a username, into the search box.
  • GigaFlow will tell you if that username, or any variation of it, has been seen on your network.
  • Click on any of the search results to display its associated information in the right-hand side panel.
  • Click the associated IP address.

Search for a Network Switch

To search for a specific network switch:

  • Enter the switch IP address into the search box.
  • Click the icon beside the displayed switch; this will open the Device Connections table.
  • The Device Connections table shows connections to any one port on any one VLAN.
  • You can filter information by entering an interface, or device etc., into the search bar at the top-right of the table.

To make a follow-on search from a specific device or switch:

  • Using switches from previously displayed tables, you can search for any switches of similar origin, e.g. containing the same name elements.
  • Click on the desired switch; this reopens the Device Connections table.
  • You can also search by VLAN.

Apply a Macro (or Script) to a Switchport

Using GigaFlow Search, enter a known IP address associated with the switch, or the switch name, and search:

Searching for a Switch.

  • Click on the displayed switch name, in this case SG200-26(172.21.21.250).
  • Click on Int Tools in the Tools section of the right-hand side panel.

Interface tools.

  • Click on Interfaces next to Overview, at the top of the page.

Interface tools.

  • Find the interface that the script will run on.
  • On that interface, click IF Script Test in the last column on the right.
  • Add the ticket number into the description field.
  • Select the script.
  • Click Submit.
  • GigaFlow will check that the interface is not an uplink to another switch.
  • The script will be applied to the switch.